- CheckMates
- :
- Products
- :
- General Topics
- :
- Renew external (3rd party) certificate for IPSEC V...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Renew external (3rd party) certificate for IPSEC VPN
Hi,
I want to renew external certificate in IPSEC VPN TAB as it will expire soon. I have gone thru some docs and came to know that,
In a typical SSL configuration, you receive all the necessary certificates after you generate the CSR Code and your CA validates your request. After the CA signs an SSL Certificate, it sends a ZIP folder with the installation files to the applicant’s email.
Since Checkpoint VPN works the other way around, you have no choice but to contact your SSL vendor and ask for the x509/pem versions of your root and intermediate certificates. then generate CSR and give it to vendor for certificate generation.
Is this the method I need to follow?
Can someone please share step-by-step procedure to renew external certificate for VPN?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which is it?
In any case, I suspect you will follow the same process you followed to install the third party certificate to begin with.
That may mean recreating the OPSEC CA key (if that changed).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi PhoneBoy,
Thanks for reply.
I am talking about below certificate.
Trusted CA is already generated for this certificate but now it is about to expire so I have to generate new CA? Can you please share steps to renew this certificate?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By adding a new one you get a CSR to view. Copy this and get it signed by your CA (digicert). Then you complete the CSR with the cert.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok. So when I remove cert, that wildcard FQDN will be impacted?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Delete the old one and publish the changes but don't do a policy push. After that you can do the CSR and request/install the new cert with little or no downtime.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So we need a no change window for them? Customer expects it to take 2-3 days to get it signed, so no change window for that long? And if they have to make a change, we roll back to a migrate export we'll take before the change?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am too wondering if there is a lengthy time between when the CSR is generated and the Cert is installed if a CRL is checked and the tunnels goes down because the old cert is revoked?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This whole thread is full of really great questions. Questions that I have not seen any good answers to from Checkpoint anywhere. The fact that you can't generate a CSR without a CA is beyond bizarre to me and I can't think of any good reason for that. The additional limitations to having more than one certificate to a "CA object" and not being able to have two identical cert chains referenced in different "CAs objects" make it impossible to use two certificates from the same CA using the same cert chain.
Certificate changes are a routine operational task and it should be as simple as generate a CSR (no need for CA cert chain ahead of time) get the CSR signed by 3rd party, upload signed certificate bundle to complete the installation, and then change the reference to the certificate used for whichever service needs a cert change. None of that should be disruptive in any way and when the certificate reference is changed the new public key and certificate get provided for any connections established after that point. Fallback is as simple as changing the reference back to the old certificate.
I am blown away at how complicated such a simple task is for Checkpoint to pull off.
